[Palo Alto]Bytes needed for unknown-tcp

Reference:
https://live.paloaltonetworks.com/t5/Management-Articles/What-does-the-Number-of-Bytes-in-the-Traffic-Log-represent/ta-p/56208
https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711
https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711

I have a rule that uses icmp/ping/traceroute as application, and the service is Any instead of the correct “application-default”, nmap will show that a lot of ports are opened.

I use a telnet to the target with the port, and keep pressing enter to send data over the firewall.

the firewall requires enough bytes to determine which application the traffic is allowed, the magic number is between 450 and 465 bytes.

firewall when receiving 450 or 465 bytes will give up identifying the application and mark the traffic as unknown-tcp and drops the traffic.

Advertisements
This entry was posted in General stuffs and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s